Wired News: Great Taste, Less Privacy by Rattle at 11:40 am EST, Feb 6, 2004

] A patron walks into a bar and orders a drink. The
] bartender asks to see some ID. Without asking permission,
] the barkeep swipes the driver's license through a card
] reader and the device flashes a green light approving the
] order.
]
] The bartender is just verifying the card isn't a fake,
] right? Yes, and perhaps more.

[ Best freak-out tone ] Now the FBI is going to know everywhere I ever go!! Is no place safe anymore!? [ / ]

Seriously though.. Just last night, out with ballsdeep, he had a problem with the way this girl ID'd him, making it necessary for us to flee the bar.. That didn't even involve a scanner. I think she was hitting on him. She asked me my sign. Usually, my Jersey license just gets a kinda sneer.. Something you have and something you know? That's a better way of validating the ID than asking my birthday. This night, the bar got a lot of information. However, I feel bd misinterpreted the situation. Vegas for instance. What can you say after that?

Anyway.. After a few very high profile shit storms come down on venues that misuse collected information, it should become apparent that if you screw your customer base, they will find out, and not be happy about it. People still do need to be more aware of when their information is collected and how it is used. Entities who collect information also need to be aware that it is their responsibility to protect the information they collect from being compromised and misused.

Oh yeah. I am a big fan of "opt-out".. As I was reading this article, I found myself contemplating a "the ID doesn't leave my sight" policy. The situations I really don't like are the ones when someone takes your ID away from you and checks it. Like restaurants where the bartender has to check the card, so the waitress takes it. It's not like my credit card, it doesn't need to be verified against something external. That shouldn't be necessary. Every time that happens, I feel like they take the thing somewhere, photocopy it, it gets entered in some database, images of old punchcard computers fly through my head and morph into things spitting out junk-mail envelopes, etc..

I don't mind when the person I'm interfacing with needs to know who I am, and authenticate my age. That's ok. It's when the information spreads outside that transaction space, it becomes a problem. I feel like I should ask for a printed privacy policy.

This whole situation is one of the reasons I love my Jersey ID. No barcodes. No chips. No mag strips. It's laminated even! Very low tech. However, a skilled eye can tell a fake. I'm going to miss it when I switch over to Cali.

Here is a question for the MemeStreams community.. If you were proposing legislation for laws governing how venues can collect and use information from IDs, what would you propose?

RE: Wired News: Great Taste, Less Privacy by Decius at 1:57 pm EST, Feb 7, 2004

Rattle wrote:
] Here is a question for the MemeStreams community.. If you
] were proposing legislation for laws governing how venues can
] collect and use information from IDs, what would you propose?

Damn, Rattle, why don't you ask a complex question. A few thoughts:

1. Most pro-privacy people are libertarians, and so they generally shy away from government regulation. This has resulted in the situation we have today online, which is that entities must disclose what they do with your data, and you get to make choices. This is good in the sense that entities have been more conservative with what they do because it's visible and consumers have been able to apply market pressure to rein things in. Should the government force me to be private even if I don't want to be? I don't think so. The government should create a framework in which we can make choices.

2. The best analogy I've heard here is to copyright. There are a great deal of very strict rules about what an individual can do with commercial information. On the other hand, the rules about what a commercial entity can do with an individual's personal information are very liberal. Looking at the situation in this light is illustrative of whose interests are upheld. The relationship is direct. Congress approved "no judge" subpoenas that the RIAA can use to obtain your personal information in order to protect their copyrights. Furthermore, when lack of privacy causes problems, like spam, watching the government react is a lot like watching paint dry. The system is not responding to your interests. One of the worst offenders, of course, is the government itself. They create all these IDs. Furthermore, they usually sell the databases to all comers. In Texas you can get the DMV database on CD-ROM. Someone took it and set up a website where you could search it. People got pissed. So Texas passed a law making websites like that illegal. They still sell the CDs and the website has moved offshore. Talk about missing the point. We ought to curtail the data the government shares.

3. The most important thing that we need is awareness and sophistication about this issue with the general populace. Levels of understanding have improved a great deal in the last 20 years, but there is still a lot of road to cover. There is no reason why Google can't discard the last two octets of your IP address. It will not impact their demographics at all, but it would provide enough protection against turning their database into a thought crime monitor. And they'll do it, but only if we demand it.

RE: Wired News: Great Taste, Less Privacy by Rattle at 6:37 pm EST, Feb 7, 2004

Decius wrote:
] Should the government force me to be private even if I don't
] want to be? I don't think so. The government should create a
] framework in which we can make choices.

They can force you to keep certain (or better) records, and have been doing so in various industries such as healthcare and accounting. If that's happening, rules that say what information can't be kept (or used in certain ways) could be crafted as well. I could envision laws that either have something to do with protections or disclosure.

The disclosure angle is both tricky and interesting. Think about your average online transaction, and the various parties your information passes to/from. Might be a group like Amazon, Visa, your bank, and UPS. There are also a few additional parties in there, such as companies contracted to handle transactions, accounting, etc. It's probably complex as hell.. Picture a requirement, in let's say 5 years, that every company you deal with online has to be able to present you with a detailed individualized privacy report. That type of empowering of the consumer would result in an interesting form of distributed oversight, not to mention education and awareness.. That's the type of thing I'd like to see.

] The system is not responding to your interests.

The number of people concerned about these issues is growing, as we said it would. I am still confident that will change.

] We ought to curtail the data the government shares.

I am of the opinion that some top down clue is necessary. Most of the real problems occur at the "DMV level". Note I said top down clue, not top down control. I think these ID systems should all remain state level concerns, but a shared strategy or set of guidelines for protection of privacy seems like a good idea. The national ID doesn't.

] 3. The most important thing that we need is awareness and
] sophistication about this issue with the general populace.
] Levels of understanding have improved a great deal in the last
] 20 years, but there is still a lot of road to cover.

This is one of the reasons I think strategies that push for more disclosure are good ideas. As you indicated earlier, the absolutist approach to privacy can't work. The best way to teach someone is to throw information at them, in context. People don't spend much time reading privacy policies, but they do go over whatever "my account" information the site provides them. That is where the consumer needs to be provided with more information.

] There is no reason why Google can't discard the last two
] octets of your IP address. It will not impact their
] demographics at all, but it would provide enough protection
] against turning their database into a thought crime monitor.
] And they'll do it, but only if we demand it.

Google might disagree with you. That may cause more problems for them than it solves for anyone. Given cookies and ways to cross-reference them with things like Orkut, it really wouldn't matter either. The weak part in the chain, at least as far as the Patriot Act angle goes, is the removal of judicial protections. Not the information or the ability to relate it. With most ID concerns, the problem is parties releasing information without permission, or failing to protect information.

Companies addressing these issues will become in vogue at some point. Just mark my words. It will be used to build trust with their customer base. In terms of long term trust, many of the companies in the position to be a "leader" in the space have only been around for a few years. Google should care right now about how I'm going to feel about them in 4 more years. Same for Amazon, B&N, etc..

Wired News: Great Taste, Less Privacy by k at 3:26 pm EST, Feb 6, 2004

Here is a question for the MemeStreams community.. If you were proposing legislation for laws governing how venues can collect and use information from IDs, what would you propose?

[ this is obviously a growing concern, especially if we start migrating to smart card based id's in the future. i'm glad the wired article brought that up, because it's likely to have a place in our wallets soon enough. The major security concerns of these systems have been debated in the smartcard space for years (Schneier has a lucid intro to the vulnerabilities on his web site), and they're nontrivial to resolve. Legislation will help, but only insofar as laws can mandate system criteria and transparency which enable the kinds of security and privacy we, as consumers, want to have.

i think the smart cards are going to have to integrate a means for card holder verification of the data transaction... for instance, the bartender swipes, and an LCD on the card indicates that their system requested your age, gender, address, & phone number, so you deny the request, or enable only the age & gender to be transmitted... the card only transmits after you enter a pin (or biometric id if we're already dreaming) validating the transaction. thus, the terminal can't get more than you allow it to.

Legislation could be used to enforce the kinds of data various requestors have a right to require (i.e. the law establishes that a bar has no explicit right to know anything other than your age, and can't deny you for failing to provide other information). That may be legally troublesome... i'm no lawyer, but we already say that places can't refuse you on the basis of color or gender, so maybe not such a great leap.

smartcards have other issues in situations where the cardholder can't be trusted with the data inside, but we resolve a lot of those kinds of issues already with credit cards, and i see no fundamental reason why they can't be worked out in SC's, plus they're ancillary to this particular discussion. -k]
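
The cardholder-verified transaction k describes above, sketched as an added example; it is not part of the original post and not any real smart-card API. The `IDCard` class, the field names, the PIN storage and the three-try lockout are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import hmac
import os

class CardLocked(Exception):
    """Raised once the assumed PIN retry limit is exhausted."""

class IDCard:
    """Hypothetical ID card that releases only holder-approved fields."""
    MAX_TRIES = 3  # assumed lockout threshold

    def __init__(self, attributes, pin):
        self._attrs = dict(attributes)
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._tries_left = self.MAX_TRIES
        self.pending = None  # what the card's LCD would show the holder

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def request(self, terminal_id, fields):
        """Terminal asks for fields; the card only records the request."""
        self.pending = (terminal_id, [f for f in fields if f in self._attrs])
        return self.pending

    def approve(self, allowed_fields, pin):
        """Holder picks a subset and enters the PIN; returns released data."""
        if self._tries_left == 0:
            raise CardLocked("PIN retry limit reached")
        if self.pending is None:
            raise ValueError("no pending request to approve")
        if not hmac.compare_digest(self._derive(pin), self._pin_hash):
            self._tries_left -= 1
            return {}  # wrong PIN: nothing leaves the card
        self._tries_left = self.MAX_TRIES
        _, requested = self.pending
        self.pending = None
        # Release the intersection: never more than was asked for,
        # never more than the holder allowed.
        return {f: self._attrs[f] for f in requested if f in allowed_fields}

def demo():
    # Constructed sample data.
    card = IDCard({"age": 29, "gender": "M", "address": "1 Example St",
                   "phone": "555-0100"}, pin="4821")
    card.request("bar-terminal-1", ["age", "gender", "address", "phone"])
    denied = card.approve({"age", "gender"}, pin="0000")
    released = card.approve({"age", "gender"}, pin="4821")
    return denied, released
```
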